Russian Hackers Targeting U.S. Government Organizations

Russia-based advanced persistent threat actors are targeting the U.S. government and aviation entities, according to FBI and CISA. The threat actor identified as Energetic Bear—active since September 2020—hacked and stole information from government networks.

What happened?

Energetic Bear APT launched a campaign against dozens of SLTT government and aviation networks. They intruded in the compromised network infrastructure and stole data from at least two victim servers.
  • The threat group reportedly looks for user and administrator credentials for initial access; it helps in lateral movement once inside the network. Subsequently, high-value assets are located to exfiltrate data.
  • In one instance, they accessed documents related to network configurations and passwords, standard operating procedures, IT instructions, purchase information, and printed access badges.

How do they operate?

  • They used brute-force attempts and SQL injection attacks. In addition, they tried to exploit vulnerable enterprise products, such as Citrix, Fortinet, and Microsoft Exchange servers.
  • Soon, they compromised Microsoft Office 365 accounts, along with an attempt to exploit the ZeroLogon Windows Netlogon vulnerability (CVE-2020-1472) for privilege escalation.

Recent attacks

Over the time, foreign hackers have kept targeting U.S.-based entities to influence policies, obtain intellectual data, or delegitimize government entities.
  • Recently, Russian hackers launched a misinformation-cum-phishing scam in the U.S. and U.K, claiming Oxford Coronavirus Vaccine might turn people into monkeys. 
  • Revealing an attack on the US Census Bureau from last year, the DHS warned that nation-state actors linked to China, Russia, Iran, and North Korea can attempt to disrupt critical 2020 elections.

An update

Last week, the DoJ indicted six people who were allegedly a part of Sandworm APT, one of the most advanced state-sponsored hacker groups in today’s time, and operated on behalf of the Russian Main Intelligence Directorate (GRU).

Conclusion

Russia-based cyberattacks on the U.S. are common and are expected to continue in the near future. Thus, experts suggest updating VPNs and network infrastructure devices, implementing multi-factor authentication, keeping software up to date, and auditing configuration and patch management programs at regular intervals.